Amazon Elastic Container Service (ECS) offers a powerful feature known as ECS Exec, revolutionizing how developers interact with containers within ECS clusters, bringing efficient management and debugging.

Understanding Amazon ECS Exec

Amazon ECS Exec simplifies container management by enabling direct access to containers in an ECS cluster without requiring SSH or other external access. It provides a secure, interactive shell to troubleshoot, diagnose, and monitor containers in real time, enhancing operational efficiency.

Key Benefits of ECS Exec

  1. Streamlined Debugging: Debugging containerized applications becomes more accessible with ECS Exec, allowing real-time access to container environments without compromising security.
  2. Improved Troubleshooting: Gain deeper insights into container behavior by executing commands within the container context, aiding in identifying and resolving issues swiftly.
  3. Enhanced Security: ECS Exec ensures secure interactions by utilizing AWS IAM policies, restricting access to authorized users and roles only.

How to Use ECS Exec

Prerequisites

Before diving in, ensure you have the following:

Creating an IAM Role

  • Navigate to IAM > Roles > Create Role.
  • Choose a custom trust policy and paste the JSON below, which lets ECS tasks assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Create the role without attaching a policy and give it a name. Then edit the role and add an inline policy using the JSON below, substituting your AWS region, account ID, and cluster name in the Resource value of the log statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:YOUR_REGION_HERE:YOUR_ACCOUNT_ID_HERE:log-group:/aws/ecs/CLUSTER_NAME:*"
    }
  ]
}

ECS Task Configuration

  • Access ECS and Update Task Definition.
  • Create a new revision, select the previously created role for “Task role” (distinct from “Task execution role”), and update the task definition.
  • Add the following snippet to each container entry under containerDefinitions so that initProcessEnabled is set:

"containerDefinitions": [
  {
    "linuxParameters": {
      "initProcessEnabled": true
    }
  }
],

Service Update

  • Navigate to your ECS Service and Update. Ensure the revision is set to the latest version and complete the update. This action provisions your new task with its designated role.

Enabling Execution Commands

Once the service has been updated, enable execute command on it:

aws ecs update-service --cluster CLUSTER_NAME --service SERVICE_NAME --region REGION --enable-execute-command --force-new-deployment

To see if the execution is enabled properly, you should run:

aws ecs describe-services --cluster CLUSTER_NAME --region REGION --service SERVICE_NAME

The output should show that execute command is enabled: "enableExecuteCommand": true
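As an added example, not code from the original post, the following Python function applies the same conditions this walkthrough configures to JSON of the shape returned by describe-services, describe-task-definition and get-role-policy: enableExecuteCommand on the service, a task role on the task definition, initProcessEnabled on every container, and the four ssmmessages actions in the task role policy. It runs offline on constructed sample input; the role ARN and container name are made-up values.

```python
# The four ssmmessages actions the inline task-role policy grants; ECS Exec
# needs all of them to open the SSM session into the container.
REQUIRED_SSM_ACTIONS = {
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
}


def allowed_actions(policy: dict) -> set:
    """Collect every action granted by an Allow statement of an IAM policy document."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def check_exec_readiness(service: dict, task_def: dict, task_role_policy: dict) -> list:
    """Return the problems that would stop ECS Exec from working; an empty list means ready."""
    problems = []
    if not service.get("enableExecuteCommand", False):
        problems.append("service: enableExecuteCommand is false")
    if not task_def.get("taskRoleArn"):
        problems.append("task definition: taskRoleArn is missing (task role, not execution role)")
    for container in task_def.get("containerDefinitions", []):
        if not container.get("linuxParameters", {}).get("initProcessEnabled", False):
            problems.append(f"container {container.get('name', '?')}: initProcessEnabled is not true")
    missing = REQUIRED_SSM_ACTIONS - allowed_actions(task_role_policy)
    if missing:
        problems.append("task role: missing " + ", ".join(sorted(missing)))
    return problems


# Constructed sample inputs, shaped like the JSON returned by
# aws ecs describe-services / describe-task-definition / aws iam get-role-policy.
SERVICE_OK = {"serviceName": "website", "enableExecuteCommand": True}
TASK_DEF_OK = {
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecs-exec-task-role",  # constructed value
    "containerDefinitions": [{"name": "website", "linuxParameters": {"initProcessEnabled": True}}],
}
POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_SSM_ACTIONS), "Resource": "*"}]}
```

Running the check across every service in a cluster also gives you an inventory of where ECS Exec is switched on, which is worth reviewing since it grants shell access to the task.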

To exec into a container, use the following syntax:

aws ecs execute-command --region REGION --cluster CLUSTER_NAME --task TASK_ARN --container CONTAINER --command "sh" --interactive

The end goal is a successful connection to the container, as shown in the example below:

aws ecs execute-command --region eu-west-1 --cluster devcluster --task arn:aws:ecs:eu-west-1:############:task/devcluster/9f14b0d5b59d4f688f6074debf6332d6 --container website --command "sh" --interactive

The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.

Starting session with SessionId:

ecs-execute-command-0e18738065c7daa0a

For a detailed walk-through, refer to the Amazon ECS Exec guide.

Enabling access to all your instances becomes efficient with ECS Exec, allowing streamlined container management without compromising security.

About

With more than 20 years of experience in the technology sector, Mario has dedicated the last decade to offering consultancy, support, and strategic guidance to clients across various cloud platforms.

Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.